Iran-Linked Cyber Activity Escalates Alongside Military Conflict. Infrastructure Attacks, Data Breaches, and GPS Disruption Reported
Cyber activity linked to Iran intensified rapidly following military escalation in the Middle East at the end of February 2026, extending the conflict into digital and electronic domains within hours.
According to multiple threat intelligence reports, coordinated cyber operations targeted organizations across the United States, Israel, and Gulf Cooperation Council (GCC) countries, alongside parallel electronic warfare activity affecting regional infrastructure.
Hacktivist Mobilization and Coordinated Attacks
Shortly after the initial military strikes on February 28, multiple Iran-aligned hacktivist groups launched coordinated campaigns.
Groups identified in open-source reporting include:
Cyber Islamic Resistance
Fatimion Cyber Team
Cyber Fattah
DieNet
Sylhet Gang-SG
These groups conducted:
DDoS attacks against public-facing services
Website defacement campaigns
Data theft and publication attempts
Data-wiping operations targeting organizational systems
At the same time, pro-Western hacktivist groups targeted Iranian government portals, media platforms, and religious applications, contributing to a continuous cycle of offensive activity.
Targeted Incidents and Sector Impact
Threat intelligence analysis identified escalation by several Iran-linked actors, including newly observed groups that published targeted lists of individuals across multiple industries in Israel.
On March 11, 2026, the Handala Hack Team claimed responsibility for a cyberattack against a U.S.-based medical technology company, reporting:
disruption of internal systems
exfiltration of sensitive data
public framing of the attack as retaliation for military actions
The incident highlights the direct linkage between cyber operations and geopolitical events.
Exploitation of Known Vulnerabilities and Access Vectors
Attackers relied primarily on speed and available access rather than zero-day exploitation.
Observed techniques include:
use of credentials obtained via infostealer malware
access to exposed web panels and applications
targeting of internet-facing infrastructure
scanning for vulnerable IoT devices
Active exploitation targeted surveillance systems, including:
Hikvision vulnerabilities: CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, CVE-2025-34067
Dahua vulnerability: CVE-2021-33044
All listed vulnerabilities have available patches, indicating that exposure resulted from delayed remediation and unmanaged devices.
Regional Spillover and Infrastructure Impact
The cyber campaign extended beyond primary targets.
Media platforms, websites, and applications in Pakistan were affected, prompting investigation by the national CERT
Cloud infrastructure in the UAE and Bahrain experienced operational disruption following drone strikes targeting data center facilities
The scale of activity suggests a broad, interconnected operational environment rather than isolated incidents.
GPS Spoofing and Electronic Warfare Activity
In parallel with cyber operations, large-scale GPS spoofing and jamming activity was reported across the region.
Within the first 24 hours:
Over 1,100 commercial vessels reported navigation anomalies
Systems displayed incorrect positioning, including airports and inland locations
According to maritime intelligence data:
More than 1,700 GPS interference events affected over 650 vessels in the first week
By March 7, over 1,650 vessels experienced GPS disruption
The number of jamming clusters increased rapidly in the first 48 hours
The activity represents one of the most extensive GPS disruption campaigns observed in a conflict environment.
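The spoofing symptom described above, a vessel's reported position suddenly appearing at an airport or inland location, can be caught on the receiving side with a plausibility check on implied speed between consecutive fixes. The following is an added example, not code from any of the cited sources; the 40-knot ceiling, the function names, and the sample track are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KNOTS = 40.0  # assumed speed ceiling for a commercial vessel
EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two fixes, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_position_jumps(track, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Return (timestamp, implied_knots) for fixes the vessel could not have
    reached from its last trusted fix. Flagged fixes are not trusted, so a
    run of spoofed positions is compared against the last good one.
    Limitation: after a long outage the time window grows and the check
    weakens, so pair it with an independent source (radar, inertial)."""
    flagged, last_good = [], None
    for ts, lat, lon in track:
        t = datetime.fromisoformat(ts)
        if last_good is not None:
            hours = (t - last_good[0]).total_seconds() / 3600
            if hours <= 0:  # duplicate or out-of-order timestamp
                flagged.append((ts, float("inf")))
                continue
            knots = haversine_nm(last_good[1], last_good[2], lat, lon) / hours
            if knots > max_knots:
                flagged.append((ts, round(knots)))
                continue
        last_good = (t, lat, lon)
    return flagged

# Constructed track: steady transit at about 12 knots, two fixes displaced
# roughly 95 nm away, then a return to the original course.
SAMPLE_TRACK = [
    ("2026-03-01T10:00:00", 26.2000, 55.0000),
    ("2026-03-01T10:06:00", 26.2000, 55.0220),
    ("2026-03-01T10:12:00", 27.2000, 56.4000),
    ("2026-03-01T10:18:00", 27.2010, 56.4010),
    ("2026-03-01T10:24:00", 26.2000, 55.0880),
]

if __name__ == "__main__":
    for ts, knots in flag_position_jumps(SAMPLE_TRACK):
        print(f"{ts}: implied speed {knots} kn exceeds {MAX_PLAUSIBLE_KNOTS} kn")
```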
Operational Risk for Critical Systems
GPS and GNSS disruption impacts:
maritime navigation
aviation systems
industrial control systems (ICS)
logistics and supply chains
Organizations relying on geolocation data face increased operational risk when interference occurs.
Conclusion
The current escalation demonstrates how cyber operations, electronic warfare, and physical conflict are increasingly integrated.
The observed activity reflects a shift toward multi-layered conflict models, where digital infrastructure becomes an immediate and active component of escalation.
Sources
Resecurity. “Iran-Linked Cyber Campaigns and Islamic Resilience Cyber Axis Analysis”, March 2026
Resecurity Threat Intelligence Reports on Handala Hack Team Activity
Windward Maritime Intelligence. “GPS Jamming and Spoofing Activity in the Persian Gulf”, March 2026
Lloyd’s List Intelligence. “GNSS Interference Events Affecting Commercial Shipping”, March 2026
National CERT Pakistan. Incident Investigation Reports on Media and Digital Service Disruptions
Public vulnerability databases (NVD, CISA) for CVE references
Open-source intelligence (OSINT) monitoring of hacktivist group activity






